Healthcare providers are increasingly using technology to store and exchange patients' medical information. While this has made it easier to gather and use information as needed, it has also raised many issues related to privacy and security.
To protect patients' sensitive information, the U.S. government has enacted two pieces of legislation: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). One of the aims of HIPAA is to protect the privacy of patients, so healthcare providers, medical device manufacturers, insurance companies and any other entity involved in the collection and storage of patients' information have to abide by its provisions. The HITECH Act, on the other hand, is designed to promote the use of technology in healthcare. It offers incentives for companies that adopt any kind of electronic health record system. There are also civil penalties for healthcare providers that willfully avoid the use of technology in their operations.
For healthcare providers, these two acts pose many challenges. They have to store patient information electronically under HITECH and, at the same time, safeguard it from unauthorized access under HIPAA. To meet both requirements, they turn to medical device manufacturers. This puts a lot of pressure on these manufacturers, because they have to come up with devices that store patient information safely and securely. The first step towards this objective is to understand what falls within the scope of HIPAA and HITECH.
Any information that can identify a particular individual is called Protected Health Information (PHI). To qualify under HIPAA, this information should have been created by a healthcare provider, employer or health insurance company, and it should relate to the past, present or future health condition of a person. Information that meets these requirements falls under HIPAA, which means the device manufacturer should come up with a secure way to store it in their devices.
Edited by Ryan Sartor